Tech Talk by Roland Schorr & Tower

This was very useful information! (In your usual form). Thanks Ben!

I hope Android 5 coming soon

Software runs on hardware, what runs in the cloud is called vapourware.
Sorry Ben, it is Saturday night and I am online.

My hubby and I are trying to find a mobile personal wifi that won't kill us financially. And work at least 1/2 way decent. This is only occasional as we have a router at home and so only for times like camp for a few days at a time or ocassional weekend travel. We thought Virgin Mobile would be a good option but seeing a lot of complaints. Is anyone aware of other options out there for no contract mobile personal wifi, or mifi that you are aware of. Thank you so much for any help!

O.K., follow-up. I never heard back from Tina, but I did get a call from Karen (who I think is one of the SuddenLink staffers I talked to earlier in the week). She left a message yesterday a bit before 1PM saying that they could install yesterday before 4PM and I should call her back to confirm. I called her back just after 1:30PM and got her voicemail...which was full, so I couldn't leave a message. I tried to call her back a few more times but got voicemail each time.

Then, just after 2PM, I got a call from Scott; a SuddenLink tech. He informed me that we had an install appointment between 1P and 3P and that he was standing on my doorstep but nobody was home. Of course, this is the first I'd heard that we had an actual appointment, but I assured him that I was on the way home and would be there in 15 minutes. He said that was fine, he had some things he needed to do on the outside of the house anyhow.

Upshot of it...I got home, Scott did the install, and now I have Internet again.

I like SuddenLink's product. It's reliable Internet service at a reasonable price. It's not as fast as I'd like, but Scott and his partner assured me that over the next 18 months SuddenLink would be making some significant upgrades to their speeds. Good. But I will say that SuddenLink customer service is a bit slapdash. They're all friendly but there seems to be a lot of confusion going on there. Nobody seems to know what anybody else is doing and it can be a chore to get an issue resolved. Hopefully those are just growing pains.

The other provider in town, Qwest/Century Link is primarily a DSL provider. I'm not a huge fan of DSL, though it's fine for some installations. Currently their product isn't as good here in Flagstaff. In most parts of Flag they can offer, at best, 12Mbps which - just isn't that fast. I understand they too are upgrading their network and hope to roll out 40Mbps service to most of the town in the next year or so. I hope they do, competition can only make both providers better.

I happen to be trying out Virgin Mobile's service on a Android phone. So far I have had no dropped calls and the 3G service has been pretty good. All for $25 per month - not bad.

Thanks Tina, I've sent you an e-mail to follow-up. I have to say that I *HAVE* found SuddenLink staffers, like Tina, to be friendly and even sympathetic. However...it's results that count and so far the results are still 8 days of no Internet access.

I'll let you know if Tina is able to improve the situation.

Hi Ben – My name is Tina and I am with Suddenlink. I am very sorry to hear about you’re the issues you are having regarding your internet service installation. I’d be happy to work with management in the Flagstaff area and see if we can move your install up sooner than Friday. Please feel free to contact me directly at [E-Mail Redacted] for assistance. Thank you.

Most Windows applications do and I haven't found a Mac application that wouldn't yet. I agree that some web applications still don't allow spaces (the most common problem I've found) but you can get around that by substituting something else for the space. Commonly an underscore character ("_") is used for a space, but you could also use a zero ("0") if it's really picky about special characters.

So "My 2 dogs are really cute!" becomes "My02dogs0are0really0cute!" which is still pretty strong.

As for those sites that don't allow passphrases of 19 characters we need to put some pressure on them to get more secure. I have seen the very occasional site that caps their passphrases at 8 or 10 characters but they need to realize that short passwords are increasingly vulnerable. A lesson we should understand all-too-well in the wake of Lulzsec and Anonymous wreaking havoc on Sony and the others.

Thanks for writing!

How many applications, sites etc will actually accept 19 characters, let alone spaces. I have a whole slew of sites that actually fail when you just try to use special characters, only accepting Alpha and numbers ...

Besides that ... I fully agree and support your blogpost. I still hope some time someone invents the onetime ultimate authentication device. :-)

I have only begun to dabble but like what I see. As to advantages of a SaaS product being largely lost when you self-install, it should not be such a big deal with this software. Let's follow the theoretical user experience from Flash client into the server.

DynDNS works anywhere and does not require a C Sci degree or corporate Internet presence, just a reliable broadband connection and a bit of intelligence to set up. If you got through law school you should be able to figure this out, and once it's done it's done.

Once a connection gets inside the firm - or home in my case - the local router can route traffic on the app's port(s) to a specific local IP on a PC or Mac. That again should be an easy one-time setup, assuming your router is reliable and properly secured, which it should be anyhow if you keep client data. I always use WPA security plus a whitelist of MAC addresses. If the device trying to connect isn't on my whitelist, the router won't even listen and so cannot get hacked, but that's all tangential to making this work.

The PC or Mac running HoudiniESQ can apparently be any modern Mac or PC as long as it doesn't power down while accessed from outside, is properly configured and secured, and has a dedicated internal IP address. None of this is rocket or computer science.

From what I read, the configuration of HoudiniESQ itself should be a breeze. I will know soon, but the whole point of using a Flash client and Java server is to make it all flexible and relatively independent of the architecture. That inherent separation should minimize the IT woes some fear.

Personally, if I had a grand to burn I'd buy a Mac mini with dual hard drives set for RAID mirroring (that takes tweaking) and the three-year extended warranty, setup OS X Time Machine with external USB drive to back it up, and dedicate it to this - i.e. in a cool, clean, dark closet, not for other uses. Should pay for itself in a year. Run Software Update once a month just to be sure. You could do likewise with a good Windows box, but I favor the security and simplicity of OS X. I'd really favor Linux, but that's not (yet) a solo option, right?

Any tech-savvy person should be able to configure all of this in an hour or two, I suspect. If you can't, hire a good tech for a couple hundred. Once configured, it shouldn't need much maintenance and eliminates concerns about SaaS. You own the network, etc.

All SaaS products - HoudiniESQ, RocketMatter, Clio, NetDocuments - involve trade-offs. A bit of risk and expense in exchange for no local hardware or installation hassles.

Those points about being cut off with no warning and about where the software might be stored are valid concerns, but Frank's right about the logical separation of an instance. No provider can offer physical separation without passing the cost on to the user, i.e. hundreds/month, and there is no good reason to do so. I say that not as a lawyer but as a former sysadmin with two decades of experience.

My thoughts may change after I install on this iMac and start playing over the weekend.

I would hope that most people would use common sense and know that anything they put in the cloud, on someone elses hardware, is pretty much fair game for the "developers" to peek at.
If not, then I'm sure they think those "dress-up" pictures on your hard-drive were never gawked at when you took your PC in repair... yea. I'm sure.
Don't put it in the cloud if you don't want someone somewhere to potentially peek at it.

Legal or illegal, if accessing your personal data is possible at the server, someone will do it if the stakes are high enough. What if you're dating the ex-wife of a jealous dropbox employee (an incident that once happened at Google)?

Just use a service that encrypts your data at *client* side. For example:

• http://www.wuala.com/en/learn/features/t/2
• https://spideroak.com/faq/questions/3/does_spideroak_use_encryption_when_storing_and_transferring_data

The DropBox license also covers the use of the "public" folder. Otherwise you could drag something into that and then sue them for publishing it. Bingo, free money.

People tend to focus only on their own limited use of Dropbox, not on all the things it CAN do that need to be covered by the TOS.

I think they are very clear and Mildred is right:
http://blog.dropbox.com/?p=846

This is one of the reasons I encrypt the files I store on Dropbox.

@Elspeth Kovar

You hit the nail on the head. I think a lot of people are shocked that creative folks, like writers and artists are taking off.

The comment which we deem reasonable is so vague, I could not trust it anymore.

After looking over many different ones. I chose SpiderOak. They make it clear they are not interested in what your files hold, they want to make sure their employees don't have access (something dropbox can't guarantee.).

My husband made a good point about this fiasco. What if it is a way to clear server space for more paying customers. Because most people I know that use it the free 2 gb is more than they need.

i always loved DropBox but now i think otherwise i might use box.net btw i am a free user i don't want to pay...:P

""The very words "distribute" and "publicly display" should be all you really need to hear."

Right... because that is what you're asking DropBox to do for you. How do you expect them to do it if you don't give them a license?"

Well, no. I'm asking Dropbox to sync files between MY devices. In order to do that they do NOT have to have access to the files - case in point if I encrypt my data with TrueCrypt Dropbox still works for syncing between my devices (or to anybody else if I gave them my decryption key).

As Ed Bott points out, Dropbox isn't any worse than a lot of other services in this regard. But...those are all services that are not suitable for confidential documents. There are plenty of other files you can happily and successfully use Dropbox or Google Docs or SkyDrive to host.

Good article. Yet one thing bugs me. When I read about security or lack thereof, I hardly ever here about solutions.

So … If you use a Mac, and would like easy to use strong encryption. The good folks over at GPGTools have a real workable solution. Yes GPG has been around for a long time, and terrific work is being done. One of the newer additions is “Service Menu” GPG tools it allows one to encrypt or decrypt any file from the service menu. or any text block in any service aware program.

It all comes in a single install. Easy. Free. and auto updates…. head on over and pick it up.

http://www.gpgtools.org/projects.html

(they are working on an iOS version)

Wow thanks for bringing this to our attention! I'm so pissed! I am even more disappointed that Google Docs has a similar TOC clause because I was going to move everything there and use insynchq for the uploading service. Now I'm not sure what to do....

"The very words "distribute" and "publicly display" should be all you really need to hear."

Right... because that is what you're asking DropBox to do for you. How do you expect them to do it if you don't give them a license?

"You're missing an important part of the language you quote -- "to the extent reasonably necessary for the Service." This means they don't have the right to "your stuff" for any other purpose than to provide the service to you. They don't own it, can't republish it etc. etc. unless that's part of serving you."

Well, yes, that qualifier exists but who gets to determine what's "reasonably necessary for the service"? And ultimately...it doesn't matter. The fact remains that you're giving access to some anonymous group of Cloud techies, regardless of how well-intentioned. If the data you're uploading is confidential or sensitive then you should seriously rethink that plan.

That's why I encourage anybody who intends to use Dropbox (or similar services) for confidential or sensitive materials to encrypt the data BEFORE uploading it. Then it's secure.

You're missing an important part of the language you quote -- "to the extent reasonably necessary for the Service." This means they don't have the right to "your stuff" for any other purpose than to provide the service to you. They don't own it, can't republish it etc. etc. unless that's part of serving you.

If you are a lawyer or insurance broker entrusted with private, confidential information of clients the best option for file sharing is tonido (www.tonido.com).

With tonido, the data resides in your computer but you can access it from anywhere.

Dropbox didn't change the part that has people involved in any creative field -- authors, editors, columnists, artists, publishers, reviewers etc -- leaving Dropbox in droves:

"you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions). . . "

Thanks for the information and research Ben. As a District Technology Support for a school district and private consultant I am always reading and advising people on security, or setting up things like sync for a company.

I am currently looking at other sites for my clients because I have lost faith in Dropbox. Encrypting data is not a great thing across devices because you need to decrypt it on the other side, but of course you could auto mount the volume after DropBox syncs with TrueCrypt. I haven't tried sharing the volume and syncing, but I know it does work with one person mounting and adding with DropBox syncing.

You can pay for Dropbox as well

Well...you've all probably heard the expression: "If you didn't pay for the product then you *ARE* the product."

Thats why you back up your data on your own server instead of other peoples server.

http://fak3r.com/geek/howto-build-your-own-open-source-dropbox-clone/


Or something like that with rsynch... Srsly people... Every company just wants an "in" to your data. Toolbars, services, mail clients, photos databases, its a recurring theme of the data mining generation.

Well, actually, on Facebook if you friend somebody they have to either "Confirm" or "Ignore" your friend request (or defer it). If they confirm then you guys are "Friends" and that's a reciprocal connection. You're their "friend" as much as they're yours.

That's different from Twitter where 10 million anonymous people can Follow Lady Gaga and she doesn't have to do anything or even be aware of it. Even on the "private" Twitter accounts where the tweets are protected - they have to approve you to follow them, but they still don't have to follow you.

A "Friend" in Facebook is automatically a reciprocal relationship.

That is an interesting analysis of Twitter. However, it makes an assumption that your "friending" someone on Facebook means they will also "friend" you back, which is not always the case. Just as people don't have to follow you on Twitter, they don't have to "friend" you on Facebook.

I was going to tease you about being married and looking for a date, but this is a very good tip.
I now have it on a postit. I know the date I am looking for, but I usually end up scrolling back and forth through several directories. This is far more elegant.

I don't have a firm publish date but I have now submitted the final manuscript so I'm sure the ABA is hard at work getting the layout done so it can go off to the printers. We should be accepting pre-orders soon and have it in print very soon after.

Do you have a publish date yet for your revised book for Office 2010?

THIS IS A OLD ARTICLE.

FOR THE MOST UP TO DATE INFORMATION REGARDING HOUDINIESQ SEE

houdiniesq (dot) com

To help with the filing issues related to Outlook folders and subfolders, purchase Simply File. The best $50 I have spent in a long time. It makes filing emails in folders and subfolders very easy.

http://www.techhit.com/SimplyFile/

Tick tock... Two years down, three to go until we get Steve's stamp of approval.

My take is much simpler: Lawyers want to lawyer, they are not interested in "how" the process works, only "that" the process works. 24/7. No excuses. The 20-something Crackberry'd lawyers pushing Saas today remind me of the 20-something MBA geniuses who believed that Wall Street always made money and that there was no such thing as a Black Swan (see "The Black Swan: The Impact of the Highly Improbable"). The only difference between an MBA and a lawyer is that MBA's will not lose their license to work if they lose their clients' money because of a computer failure. Lawyers do and will. Only after (if?) SaaS has been around for 5 years will I begin to recommend it to my law firm clients. It's good to remember that it's the pioneers who get the arrows in their backs.

This is the same kind of fluff printed during the ASP buzz.

The Cloud (I use the term in its broadest sense) isn't worry free.

It may be a new term or buzzword but we still have the same concerns we did 10 years ago when the Cloud was called ASP. As the architect of the first Web-based legal practice software in the industry, TimeMatters WorldServer, I can honestly tell you all that nothing has changed, seriously. No vendor can make any guarantees of 100% availability or that their service is 100% secure. Servers and network devices all fail eventually. Before selecting a SaaS vendor read their TOS.

Every law firm MUST carefully evaluate the wins and losses of going paperless via SaaS. Wins are easy to quantify (cost savings). Loses on the other hand are harder.

There are many areas of Law that are practiced, each with its own unique requirements. Each law firm must consider many things including how they conduct their day-to-day business. Every SaaS vendor has their own spin on how software as a service is delivered to its users and the user experience is different with each. What features must you have or can live without? How do you feel about your data being located at an unknown location (potentially offshore)? How secure is the data transported between the server and the client machines? Is the data available offline? How are documents stored, backed up? What about accessibility, will the vendor close its doors or stop the service altogether. Remember Microsoft's Windows Live Academic Search. Lawyers were excited, we were. A huge disappointment, you still have to pay Lexis or West for now because Google Scholar just isn't enough.

Going paperless is a wonderful thing. It helps your firms bottom line and the environment but it isn't the right solution for every firm. As a SaaS vendor I find this article irresponsible to the community our firm serves by its omission of what must be considered when going paperless via SaaS.

If you are considering using SaaS then make it your mission to get the facts as they relate to your practice first.

Just my 2 cents

Frank Rivera
HoudiniESQ

Ben, I agree whole heartedly. These types of articles remind me of all the fluff published during the ASP hype.

Mr Nolan's isn't the only article full of fluff, Seth Roland sited Advologix PM as a desktop type application (among other things) which gave an entirely wrong impression (to the uninformed) of what to expect from this SaaS (Software as a Service) provider. The community is really misinformed and confused by these types of articles. I think we need to cut through the bull. A great place to start is with the terminology.

Let's stop painting everything with the Cloud brush.

The fact of the matter is 98% of all web based offerings are nothing more than the same old manure that was available nearly 10 years ago. What was once called ASP is now called SaaS.

SaaS the Cloud and Cloud computing are entirely different things.

"The Cloud" is not a few webpages connected to a database (the 98% so called Cloud offerings sited in 99% of the articles). This isn't the Cloud or Cloud computing for that matter but just a web-based application. The fact that you pay monthly doesn't change a thing. How is AOL any different than what is being offered. Web-based + monthly charge. So what's new?

As a vendor when we say Cloud we are technically referring to consuming computing power like you would electricity. If and when we need more we simply consume and pay for what we use. Your SaaS provider doesn't provide you more computing power if you need it and your monthly rate stays the same regardless if you use it or not. I'm over simplifying of course but my point is, a web-based application and a monthly bill don't make anything Cloud.

WE ALL HAVE THE SAME CONCERNS AND ISSUES THAT WE DID 10 YEARS AGO. CALL IT SAAS, ASP, OR WHATEVER YOU LIKE. NOTHING HAS CHANGED EXCEPT THE BUZZ WORD. THE ONLY SECURE DIGITAL FILE IS ONE THAT IS OF NO USE TO ANYONE. THERE ARE NO GUARANTEES. THERE WEREN'T ANY 10 YEARS AGO AND THERE AREN'T ANY TODAY. ANYONE WHO PUBLISHES SUCH NONE-SENSE IS BEING IRRESPONSIBLE .

Google is nothing more than SaaS, Amazon EC2 on the other hand is Cloud computing. Two different beast. So lets call a orange a orange and an apple a apple and stop confusing everyone.

Frank Rivera
CEO HoudiniESQ

Aloha Saqib,

I think I've already elaborated on my security concerns with cloud computing - just read some of the other posts here in the blog. :-)

At the most basic conceptual level cloud computing is pushing your data further from your own control. It's no longer in your office or even in your building. It's now "out there" somewhere being controlled by people you've never met, or worse by people they've outsourced to and THEY'VE never met. You don't know for sure where it is, you may not even know for sure what country it's in. You can't say for sure how many copies of it have been made but you hope at least one copy (backup) has been made.

And there are a number of scenarios where your access to your data could be cut off completely; either temporarily or permanently.

And don't get me started on eDiscovery, multi-tenancy, compliance auditing, document retention...

If that doesn't sound like a security issue to you...well. :-)

-B-

The boss walks by just as the new paralegel is entering a password on the computer. He sees 'mickyminniedonaldhueydeweylouie'.
"Thats an impressive passphrase, how did you come up with it?"
"Well,"says the paralegal "the instructions said it had to be at least 6 characters long."

Aloha Ben,

I agree that Cloud Computing is not the end-all prescription for "all" security issues. But it helps where the internal/outsourced IT support lacks.

Going back to the analogy, I would have agreed with you if there ware no unhealthy side-effects of smoking.

You seems to be of the opinion that there are gaping security issues with Cloud Computing in general. Care to elaborate?

Thanks,
Saqib

Saqib, I think it's debatable as to whether or not there's anything inherently wrong with Cloud Computing but in any event that's not really the point of the analogy. It's about relative wellness, not absolute wellness. It's about whether or not the cure is appropriate to the disease.

In this case the point of the analogy is that just as smoking is not the right cure for obesity, even though it does seem to have beneficial effects on weight, Cloud Computing is not the right cure for computer security issues. Even though in some cases it might be more secure than the internal systems many lawyers are running.

The correct way to lose weight is through diet and exercise. The correct way to secure your data is through a set of well thought out policies supported by carefully selected, and properly maintained, products.

Best wishes and aloha,

-B-

Ben,

I disagree with your analogy. Both smoking and obesity are plain unhealthy, whereas there is nothing inherently wrong with Cloud Computing. CC is not inherently in-secure or a bad practice. So your analogy is mis-leading.

Saqib

Aloha Jack,

Actually I may not have been that clear, but in that quote I'm referring to you as the third-party. (Me and my client being first and second-parties) The "fourth party" would then be the "enterprise-class datacenter" that you're outsourcing to.

Hopefully there isn't a fifth party, but from the current TOS it's not clear how the customer would be assured of that.

Among the concerns would be not just primary data storage but if backups are outsourced.

Those are all issues that should be made clear. I absolutely agree that the customer should ask the SaaS vendor where and how their data is stored and receive assurances that the data (and any/all backups) are kept somewhere that the customer is comfortable with.

Thanks!

-B-

Hi Ben,

I think both you and Niki make some great points, but there's one point you make in your post I have to take issue with.

You say:

> But, as we've seen in our recent TOS reviews of Houdini and Clio, in some cases those
> third-parties are actually outsourcing the hosting to a FOURTH party.

I can't speak for Houdini, but neither in our ToS or in my reply to your comments on our ToS did the specter of fourth-party providers come into play. I don't think your "Russian Doll" scenario is a real concern - if a SaaS provider is using a third-party provider, it's likely a SAS 70 Level II-certified cloud computing infrastructure provider (or, in marketing speak, an "enterprise-class datacenter") - likely one of the large providers like Amazon Web Services, Rackspace, or Joyent. These third-party providers, as part of the SAS70 specification, can't just outsource their services willy-nilly in the fashion you're suggesting.

There are certainly data availability, security, and privacy concerns that a SaaS provider needs to address for its prospective customers, but I don't think the "we're using so many third-, fourth-, and fifth-party hosting we don't even know where your data is stored" is a response you'll hear back from a credible SaaS provider. If you do, run away as fast as you can.

Asking a SaaS provider where your data will be stored, and what third-party providers are being used, is a fair question to ask. So is asking if the third-party providers have permission to use their own third-party providers - after all, the SaaS provider has a legal agreement with their third-party provider that explicitly states where and how data will be stored. There should be no mysteries on this front.

Regards,
Jack

Ben -

Now if I could just get attorneys and business owners to understand that Google is just as much cloud computing as any paid vendor... but with no expectation of service thrown in to boot! ;)

A fight for another day!

Andrea

Aloha Nicole!

I think cloud computing is the wave of the future because it's got a low entry price and a one-size-fits all approach that makes it easy to get into. And I certainly agree that lawyers should familiarize themselves with it.

I do agree that the cloud providers are listening - I think Jack Newton's response today on my Clio post is a good example of that. Whether or not they make tangible changes to address the concerns remains to be seen, but I'll be optimistic.

Maybe a year from now the major concerns (geolocation, data access, encryption, etc.) will all be a thing of the past.

-B-